To cite this article: Kunal Sharma , Amarjeet Singh & Ved Prakash Sharma (2009) SMEs and Cybersecurity Threats in E-
Commerce, EDPACS: The EDP Audit, Control, and Security Newsletter, 39:5-6, 1-49, DOI: 10.1080/07366980903132740
encounter while carrying out transactions over the web. The paper provides comprehensive coverage of the highly specialized electronic attacks that are on the increase in the electronic environment in which SMEs (Small and Medium Enterprises) dealing in E-Commerce carry out their transactions. It is a descriptive account of various threats, such as client/server security threats and cyber identity theft, which has become notorious over the years and is an invasive and the fastest growing crime all around the world, especially in the U.S. The paper draws on a variety of secondary sources, both published and unpublished. Recently, infamous client/server attacks such as Denial of Service (DoS), and especially Distributed Denial of Service attacks, made people aware of the importance of providing data and services to users securely and with high availability. Cyber security threats such as website defacement, phishing, pharming, and login attacks have created a distrustful environment and make it very hard for small and medium-sized online service providers (SMEs) to compete with both established online and physically present service providers. The paper presents a review of literature developed from secondary sources. Cyber security threats are of immense concern to online users engaging in E-Commerce, online service providers, governments, and law enforcement agencies. This paper provides a useful overview of the cyber security threat scenario in E-Commerce in the SME sector and, from this summary of the present situation, attempts to enlighten users about the various threats they can encounter while carrying out their electronic transactions. An analysis of security threats such as this can also assist an organization in formulating an effective security plan.
CYBERSECURITY IN E-COMMERCE
E-Commerce is defined by Kalakota and Whinston (1999) as ‘‘. . . buying and selling of information, products and services via computer networks.’’ The World Wide Web (WWW) is the fastest growing part of the Internet, driven by the growth in E-Commerce. The WWW is also the part most susceptible to attack (Rolf, 2002; Scott & Sharp, 2002; Rao, 2004). The Internet is more than ever becoming a part of everyone’s daily life. Everyday activities such as shopping, sharing files, chatting, and working now happen over the Internet. Consumers prefer to shop and buy on the Internet for three major reasons—convenience, time savings, and comparison shopping (Kalakota & Whinston, 1999)—but today the Internet environment is much less friendly and
EDPACS (Print ISSN 0736-6981/Online ISSN 1936-1009) is published monthly by Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. Copyright 2009.
2002). The most familiar DoS attacks are aimed at the computer’s network bandwidth or connectivity. Bandwidth attacks flood the attacked network with a very high volume of traffic, leaving far fewer resources for the end user (Stein, 2002). Laudon and Traver (2001) describe a DoS attack as an act that floods a website with useless traffic so that it overwhelms the network. Ghosh (1998, p. 20) calls a DoS attack ‘‘an ultimate Internet security nemesis which is solely aimed at making services unavailable.’’ A DoS attack results when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user. On the WWW, a DoS attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. An example is when there are enormous numbers of transactions on the SME’s website; the losses that may arise from unavailability are severe, both financial and reputational. DoS attacks involve the intentional impairment or blocking of legitimate access by an unauthorized party (e.g., by flooding the victim site with spurious traffic) (Furnell, 2006). DoS has risen to become one of the most
which uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates to any number of ‘‘agent’’ programs, installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands of agent programs within seconds. (Stein, 2002)
The TCP SYN attack focuses on exhausting the target PC’s memory, and the ICMP smurf attack focuses on exhausting network bandwidth (Bolz, Romney, & Rogers, 2004, p. 72). Different DDoS attack tools employed by ‘‘cybercrooks’’ include Trin00, which can be installed on Linux or Solaris; Tribe Flood Network, which generates TCP SYN as well as smurf floods; Tribe Flood Network 2000, which can be deployed on almost all UNIX flavors as well as Windows to generate an ICMP, UDP, or TCP SYN flood; and Stacheldraht, which combines features of Trin00 and Tribe Flood Network and normally attacks systems running Linux or Solaris (Criscuolo, 2000). Cybercrooks constantly use their creativity to invent malicious programs that may be used to launch Denial of Service attacks.
Unfortunately, website defacement has also become a significant problem, and sites running unpatched Web server software represent a relatively easy target, even for novice crackers (Furnell, 2006). The cracker may leave his or her mark on the homepage of a defaced SME website, and it may read something like ‘‘This site is cracked by . . .’’ Although it
Robinson (2003) says that some of the factors that undermine the effectiveness of the patching process, leading to inconsistently patched holes, are:
| Method | Description | Example |
| --- | --- | --- |
| Broad scope | | |
| Cracking | Breaking into a computer database, personal or business | Wiring another’s funds |
| Employee theft | Employees utilizing or selling their SME database for fraudulent means or prior permission | Pilfering office files |
| Dictionary programs | Automatically search all dictionary words for a possible password | Checking all words A–Z |
| Spyware | Software, often disguised, that may install itself with legitimate or free downloads to collect personal information | Weather bug, Gator |
| Skimming | Copying information from a magnetic strip and subsequently using the information to create a duplicate | Credit cards |
| Tapping | Monitoring computer systems to extract key information | Restaurant computers for credit card numbers |
| Pre-approved credit | Taking another’s pre-approved credit and SSN to open an unauthorized account | Mailed credit card offers |
| Mass rebellion | Peer-to-peer networks built to exchange music or media files. At present, the future of such sites is unclear, and some users are being taken to court (e.g., by the music and film industry) | Peer-to-peer sites (e.g., Kazaa, Napster) |
| Narrow scope | | |
| Carelessness | Prowling for users who use their computer or Internet access carelessly | Saved passwords, logoff may not go through |
| Disposal abuse | Obtaining information from another’s disposed/sold hardware or software | Dumpster-diving, leaving personal information on an old computer via junk-yard or garage sale |
| Autofill abuse | Obtaining information from computer programs that ‘‘memorize’’ and complete typing on another’s machine | Type in a few letters until cleared |
| Phishing | Establishing a fake website designed to look like an SME’s actual site, or sending official-looking messages | ‘‘Official’’ request for SSN |
| Phony | A phony machine that copies personal information | ATM |
| Posing | Unrightfully representing another individual | Bank rep., computer exams |
| Pranking | Posing as another on-line to play a joke or for fun | E-dating |
| Fraudulent job posting | Posting a job that does not exist to collect personal information | ‘‘Manager Wanted: Apply Online’’ |
| Shoulder surfing | Peeking for information as another enters it on a computer screen; physically watching passwords | Passwords, account numbers |
| Intercepting | Receiving on-line traffic intended for another | IM (Instant Message), e-mail |
Employee Abuse
Employee abuse may cause internal threats or ‘‘insider threats’’ when disgruntled employees who think they have not been treated properly, and non-compliant (non-malicious) employees, disclose confidential information. In an IT infrastructure context, an insider threat may be defined as ‘‘a set of circumstances that has the potential to cause loss or harm’’ (Magklaras, Furnell,
Cracking
The term hacking is often used to describe the act of intrud-
Social Engineering
Popularized by Kevin Mitnick, one of the most noted crackers of his time, social engineering is an assortment of tricks used to maneuver people into performing actions or disclosing secret information. Social engineering attacks take advantage of human interaction; social skills are used to trick the victim into a compromising action, such as revealing personal information or opening an infected e-mail message (Chen & Davis, 2006). Social engineering can be combined with many other attack methods and tools to compromise security for just about any purpose. Even though social engineering attacks are effortless and low-tech, they can be unexpectedly successful if executed properly. According to Mitnick, a social engineering attack is much like the software development lifecycle (SDLC) and consists of a Social Engineering Cycle which
Phishing/Pharming
E-Commerce is most affected by phishing and pharming. The Federal Trade Centre defines phishing as ‘‘a high-tech scam that uses spam or pop-up messages to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information’’ (Phishing Dangers, 2005). The odd spelling of these terms relates to their origin among hackers early in the history of personal computers and the Internet, when crackers began to substitute the letters ‘‘ph’’ for ‘‘f’’ (McClain, 2006). Phishing is a variant of ‘‘fishing’’ in which a sophisticated cracker uses lures to ‘‘fish’’ for a user’s financial information and passwords. In the cyberworld, phishing and pharming are terms of art describing criminals’ use of a combination of technology and social engineering to deceive users into revealing sensitive information, allowing the perpetrator to fraudulently access the victim’s financial resources. Advanced phishing examples include misappropriating the ‘‘look and feel’’ of a well-known or esteemed SME website, inducing a trusting user to disclose sensitive data such as social security or credit card numbers, passwords, account
Spyware/Adware/Malware
Spyware is the main cause of cyber identity theft. According to De
Argaez (2004), 90% of all computers are now infected with some
Password/Login Attacks
Security systems often fail because users are human. Kevin Mitnick, one of the world’s most controversial computer crackers,
mation to run credit checks and take other steps to search out all other accounts. Critically, a fraudulent site may not even need to masquerade as another valid site in order to get this ‘‘global’’ password; all it needs to do is induce the user to create an account, which many users will be keen to do if they are offered some prize (e.g., free e-mail or a promised coupon good at amazon.com). Even though there have been advances in security technology, one aspect remains constant: passwords still play a central role in system security. The difficulty with passwords is that all too often they are the easiest security mechanism to defeat.
Another way of launching login attacks is password cracking. Most crackers gain illegal entry into remote computer systems by guessing passwords. It is surprising how many system accounts have weak passwords. Most crackers gain access by guessing people’s passwords using common names or combinations of letters. Password generation programs are also used that create candidate passwords, usually dictionary words, to try to gain access; if access is denied, another password is generated and the process is repeated. The original purpose of password cracking is to help a user recover a forgotten password, but of late it is being used to gain unauthorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords. Password cracking, which is one of the most powerful password attacks, can be performed if the attacker can obtain the password file (Bidgoli, 2006). Computer systems keep a list of user accounts and passwords in a password file, but the information is encrypted for protection against attackers. If a password cracker gains access to the password file, the cracker has the benefit of time (translating into more CPU cycles) to crack the passwords by brute force. Brute-force password guessing can be very time consuming but is often not essential (Chen & Davis, 2006). There was a surge in brute-force SSH (Secure Shell) attacks according to the statistics provided by denyhosts.net, with the total number of SSH attacks being 10,000 although the daily norm was roughly 2,000 (Thurston, 2008).
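The denyhosts.net statistics above come from counting failed SSH logins per source address; as an added example (not code from the paper or from DenyHosts), the following parser and sliding-window detector run over constructed sshd log lines and flag a source once it reaches a threshold of failures inside a time window. The log lines, addresses, hostname and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format, written for this example (not from the paper).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, so no real host is named.
SAMPLE_LOG = """\
Mar  3 02:14:01 shop sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 shop sshd[4014]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:04 shop sshd[4016]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 02:14:06 shop sshd[4018]: Failed password for root from 203.0.113.7 port 51052 ssh2
Mar  3 02:14:07 shop sshd[4020]: Failed password for invalid user test from 203.0.113.7 port 51060 ssh2
Mar  3 02:14:09 shop sshd[4022]: Accepted password for bob from 203.0.113.7 port 51070 ssh2
Mar  3 02:20:11 shop sshd[4101]: Failed password for alice from 198.51.100.23 port 60100 ssh2
Mar  3 02:20:40 shop sshd[4103]: Accepted publickey for alice from 198.51.100.23 port 60104 ssh2
Mar  3 05:00:00 shop sshd[4300]: Failed password for root from 203.0.113.9 port 40000 ssh2
Mar  3 07:00:00 shop sshd[4301]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar  3 09:00:00 shop sshd[4302]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar  3 11:00:00 shop sshd[4303]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar  3 13:00:00 shop sshd[4304]: Failed password for root from 203.0.113.9 port 40004 ssh2
"""

# OpenSSH's "Failed/Accepted <method> for [invalid user] <name> from <ip> port <n>" message.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2009):
    """Return an event dict for an sshd auth line, or None for anything else.
    Syslog timestamps carry no year, so one is assumed (2009 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']} {year}",
                           "%b %d %H:%M:%S %Y")
    return {"ts": ts, "result": m["result"], "user": m["user"],
            "invalid": bool(m["invalid"]), "ip": m["ip"]}


def failures_per_source(log_text):
    """Total failed logins per source address, ignoring timing."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            totals[ev["ip"]] += 1
    return dict(totals)


def detect_bruteforce(log_text, threshold=5, window_seconds=600):
    """Flag a source once it reaches `threshold` failures inside a sliding window.
    A later successful login from a flagged source is recorded for urgent triage."""
    recent = defaultdict(deque)   # ip -> failures still inside the window
    report = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev)
            while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in report:
                report[ip] = {
                    "first_flagged": ev["ts"],
                    "failures_in_window": len(q),
                    "usernames": sorted({e["user"] for e in q}),
                    "invalid_users": sum(e["invalid"] for e in q),
                    "success_after_flag": False,
                }
        elif ip in report:
            report[ip]["success_after_flag"] = True
    return report


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The five failures from 203.0.113.9 are spread two hours apart, so a 10-minute window never sees them together; `failures_per_source` or a longer window is needed to catch that low-and-slow pattern.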
cate fraud.
Consider security practices as a key criterion when selecting
information services providers.
Figure 3 Roadmap for combating Denial of Service and Distributed Denial of Service attacks.
Attack Mechanism
monitored mark.
Rate-limiter: limit the rate of all network traffic to the victim and give the highest precedence to valid traffic.
NetBouncer (Johnson, Croall, & Thomas, 2003) provides synthetic authentication and client-legitimacy-based DDoS filtering, detecting valid clients and serving only their packets. It carries out packet-based tests, flow-based tests, and application- and session-oriented legitimacy tests. Through the steps taken to authenticate the client, NetBouncer successfully defeats spoofed attacks. Large numbers of agents can nevertheless degrade service to valid clients, creating a flash-crowd effect, and some genuine clients do not support certain legitimacy tests (e.g., the ping test). Kill-bots uses stateless authentication, offers a way to serve valid users who do not respond to CAPTCHAs, and optimizes the balance between authentication and service. It also improves performance during flash crowds. All this makes Kill-bots a proficient solution for online Web businesses, including SMEs. Low Bandwidth Turing
services to be unused.
At present, the most viable way to handle this sort of condition is to use a Turing test mechanism, as in Kill-bots. The first effort to generate text-based CAPTCHAs was made by Godfrey (2002). Graphical CAPTCHAs are the most widely used today. They consist of a deliberately degraded or distorted image, which consumes a lot of precious bandwidth, particularly during an attack. Under a DDoS attack, transferring those images from the server to the client for authentication in fact consumes a significant amount of bandwidth.
One probable low-bandwidth Turing test is to use text-based question and response, given that computational linguistics is one of the most prominent research disciplines in artificial intelligence and that a Turing test in text format generally consumes much less bandwidth. Although humans find it effortless to comprehend natural language, computers do not. The following problems make natural language processing quite complicated (Natural Language Processing, n.d.).
1. Speech segmentation. In most spoken languages, the sounds representing successive letters blend into each other, so the translation of the analog signal to discrete characters can be an extraordinarily difficult process. Moreover, in natural speech there is hardly any pause between successive words; locating those boundaries frequently must take into account grammatical and semantic constraints, as well as the ambiguity of context.
2. Text segmentation. Some written languages, such as Chinese and Thai, do not mark word boundaries, so any meaningful text parsing generally requires the detection of word boundaries, which is frequently a non-trivial task.
3. Word sense disambiguation. Many words have more than one meaning; we have to decide on the meaning that makes the most sense in context.
4. Syntactic ambiguity. The grammar for natural languages is ambiguous, meaning there are frequently multiple possible parse trees for a given sentence. Selecting the most suitable one
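The low-bandwidth text-based Turing test and the stateless client authentication attributed to Kill-bots above, as an added example (not code from the paper, from Kill-bots, or from NetBouncer): the server issues a short text question whose index, nonce and expiry travel inside an HMAC-signed token bound to the requesting client, so no per-challenge state is kept; a client that answers correctly receives a signed cookie, and the admission function serves cookie-holders while answering everyone else with a challenge. The secret key, question bank and TTLs are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example only; a deployment would load a random key from
# configuration and rotate it.
SECRET = b"example-only-secret-do-not-deploy"
CHALLENGE_TTL = 120   # seconds a challenge token stays answerable
COOKIE_TTL = 3600     # seconds a client that passed is served without re-challenge
TAG_LEN = 16          # truncated HMAC-SHA256 tag appended to every token

# Constructed question bank (question, expected answer). Each question is a few dozen
# bytes, versus tens of kilobytes for a distorted image.
QUESTIONS = [
    ("Which of these is an animal: chair, horse, river?", "horse"),
    ("What is the second word in: blue cart apple?", "cart"),
    ("How many letters are in the word shop?", "4"),
    ("Type the colour in this list: spoon, green, table.", "green"),
]


def _mac(kind, client_id, body):
    """HMAC binding a token body to its purpose (challenge/cookie) and to one client."""
    msg = b"|".join([kind, client_id.encode(), body])
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:TAG_LEN]


def _unpack(token):
    raw = base64.urlsafe_b64decode(token.encode())
    return raw[:-TAG_LEN], raw[-TAG_LEN:]


def issue_challenge(client_id, now=None):
    """Return (question_text, token). The server stores nothing: question index, nonce
    and expiry travel inside the token, authenticated by the MAC."""
    now = time.time() if now is None else now
    qid = secrets.randbelow(len(QUESTIONS))
    body = f"{qid}:{int(now) + CHALLENGE_TTL}:{secrets.token_hex(8)}".encode()
    token = base64.urlsafe_b64encode(body + _mac(b"challenge", client_id, body)).decode()
    return QUESTIONS[qid][0], token


def verify_answer(client_id, token, answer, now=None):
    """Return (ok, reason). The MAC is checked before any token field is trusted."""
    now = time.time() if now is None else now
    try:
        body, tag = _unpack(token)
        qid_s, exp_s, _nonce = body.decode().split(":")
        qid, exp = int(qid_s), int(exp_s)
    except ValueError:                 # bad base64, bad UTF-8, wrong field count or type
        return False, "malformed"
    if not hmac.compare_digest(tag, _mac(b"challenge", client_id, body)):
        return False, "bad_mac"        # forged, tampered, or lifted from another client
    if now > exp:
        return False, "expired"        # the short TTL also bounds replay of a solved token
    if qid >= len(QUESTIONS) or answer.strip().lower() != QUESTIONS[qid][1]:
        return False, "wrong_answer"
    return True, "ok"


def issue_cookie(client_id, now=None):
    """Signed proof that this client passed; it skips further challenges until expiry."""
    now = time.time() if now is None else now
    body = str(int(now) + COOKIE_TTL).encode()
    return base64.urlsafe_b64encode(body + _mac(b"cookie", client_id, body)).decode()


def cookie_valid(client_id, cookie, now=None):
    now = time.time() if now is None else now
    try:
        body, tag = _unpack(cookie)
        exp = int(body.decode())
    except ValueError:
        return False
    return hmac.compare_digest(tag, _mac(b"cookie", client_id, body)) and now <= exp


def admit(client_id, cookie, now=None):
    """Admission decision while under attack: authenticated clients are served first;
    everyone else is answered with a cheap challenge instead of consuming the service."""
    return "serve" if cookie and cookie_valid(client_id, cookie, now) else "challenge"


def challenge_bytes(question, token):
    """Wire size of one challenge, for comparison against an image CAPTCHA."""
    return len(question.encode()) + len(token.encode())
```

Because the server keeps no state, a solved token can be replayed until it expires; a small cache of recently seen nonces closes that window if the TTL alone is too generous.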
COMBATING SPYWARE
Esafe Gateway
Spyware download blocking.
Spyware ID and signature blocking. This layer uses a blend of a conventional virus-style signature database with smart, heuristic technologies made available by the Proactive Security Engine.
Spyware communications blocking (The Spyware Epidemic, 2004).
AVERTING PHISHING
Phishing may be difficult to detect because phishers may imitate, for example, an SME site so convincingly that users are persuaded to carry out transactions with the impostor. Commercial outfits, including SMEs engaged in E-Commerce, in collaboration with government institutions, have developed phishing awareness websites, including the Anti-Phishing Working Group (note iv), the Better Business Bureau (note v), and Microsoft’s Consumer Awareness Page on Phishing (note vi).
However, for SMEs the best way to guard against phishing threats is to avoid providing private information in response to a phony e-mail request. If a user considers the request might be valid, he or she should call the SME’s customer service department to verify it before providing any information.
SMEs entering the global marketplace must understand that phishing is not directly an exploitation of a vulnerability in the Web browser. Nevertheless, it is a browser-based attack and is simply one of the fastest growing mechanisms of attack on the WWW.
CONCLUSION
In E-Commerce, cybersecurity threats are increasing, and they are not likely to vanish in the times to come. All users shopping or carrying out E-Commerce transactions on the Internet must be mindful of the potential downside of going online and exchanging electronic information (Close et al., 2006). There is an upside to E-Commerce, namely that the world consumer market is easy to reach, but there is a downside: along with legitimate consumers, all kinds of malicious users may be trying to knock on the door (Ghosh, 1998). With the Internet permeating every aspect of society and the economy, consumers are also becoming increasingly aware when using this technology (Smith, 2004). E-Commerce firms, along with governmental organizations such as consumer protection forums, have made a concerted beginning in participating in stronger defenses and controls for better security. They need to coordinate cooperation among themselves, which has a major role to play in better security. Companies need to strengthen the knowledge bases and skill sets of their employees, as well as their degree of compliance, so that security can be tightened. SMEs that engage in E-Commerce must do everything possible to protect consumers’ personal and financial information in B2C transactions as well as the proprietary information of business partners in B2B applications (Smith & Lias, 2007). In order to defeat the malicious intent of crackers and ‘‘cybercrooks,’’ cybersecurity in E-Commerce is an important feature that needs due attention so that their attempts can be foiled. Nowadays the information systems are under a threat
Notes
i. The website http://www.attrition.org/mirror/attrition/ also keeps a mirror of the defaced websites.
ii. Different types of software security holes in various programs, with descriptions of the flaws, are available at http://www.scary.beasts.org/security/.
iii. cf. http://www.keyghost.com/sx/.
iv. cf. http://www.antiphishing.org/.
v. cf. http://www.bbbonline.org/idtheft/phishing_cond.asp.
vi. cf. http://www.microsoft.com/athome/security/email/phishing.mspx.
References
Alsaid, A., & Mitchell, J. C. (2005). Dynamic content attacks on digital signatures. Information Management and Computer Security, 13(4), 328–329.
Anderson, R. H., Bozek, T., Longstaff, T., Meitzler, W., Skroch, M., & Wyk, V. K. (2000). Research on mitigating the insider threat to information systems—#2. Retrieved July 20, 2007 from http://www.rand.org/pubs/conf_proceedings/CF163/CF163.pdf.
Anti Phishing Working Group (2008). Phishing activity trends report Q1/2008. Retrieved September 3, 2008 from http://www.antiphishing.org/reports/apwg_report_Q1_2008.pdf.
Armstrong, L. H., & Forde, J. P. (2003). Internet anonymity practices in computer crime. Information Management & Computer Security, 11(5), 209.
Ashrafi, N., & Kuilboer, P. J. (2001). Managing network security. In M. Khosrow-Pour (Ed.), Managing information technology in a global economy (pp. 122–124). Hershey, PA: Information Science Publishing.
Bass, T., Freyre, A., Gruber, D., & Watt, G. (1998). E-mail bombs and countermeasures: Cyber attacks on availability and brand integrity. Retrieved June 18, 2007 from http://www.silkroad.com/papers/pdf/ieee-network-email-bombs.pdf.
20(1), 50–57.
Caelli, J. W. (1994). Security in open and distributed systems. Information Management and Computer Security, 2(1), 17–18.
CERT (1991). CERT advisory CA-1991-19 AIX TFTP daemon vulnerability. Retrieved May 15, 2007 from http://131.111.8.10/pub/webmirrors/www.cert.org/advisories/CA-1991-19.html.
CERT, CSO, & ECTF. (2007). Over confidence is pervasive among security professionals. Retrieved May 19, 2008 from http://www.sei.cmu.edu/about/press/releases/2007ecrime.html.
Chang, R. K. (2002). Defending against flooding-based distributed denial-of-service attacks: A tutorial. IEEE Communications Magazine, 40(10), 42–51.
Chen, M. T., & Davis, C. (2006). An overview of electronic attacks. In P. Kanellis, E. Kiountouzis, & D. Martakos (Eds.), Digital crime and forensic science in cyberspace (pp. 1–17). Hershey, PA: Information Science Publishing.
Chinchani, R., Iyer, A., Ngo, H. Q., & Upadhyaya, S. (2005). Towards a theory of insider threat assessment. In Proceedings of the International Conference on Dependable Systems and Networks (pp. 67–78). Boston: ACM Press.
CircleID Reporter (2008). U.S. slammed as major host for cybercrime. Retrieved September 5, 2008 from http://www.circleid.com/posts/us_slammed_major_host_cybercrime/.
Cisco (2007). Defining strategies to protect against TCP SYN denial of service attacks. Retrieved August 14, 2007 from http://cio.cisco.com/warp/public/707/4.html.
Clarke, R. (1999). Internet privacy confirms the case for intervention. Communications of the ACM, 42(2), 56–62.
Close, A. G., Zinkhan, G. M., & Finney, R. Z. (2004). Cyber-identity theft: A conceptual model and implications for public policy. Retrieved December 26, 2007 from http://faculty.unlv.edu/angeline/Close%5B1%5D%5B1%5D.Zinkhan.CyberIDTheft.pdf.
Close, A. G., Zinkhan, G. M., & Finney, R. Z. (2006). Cyber-identity theft. In M. Khosrow-Pour (Ed.), Encyclopedia of e-commerce, e-government, and mobile commerce (pp. 168–171). Hershey, PA: Information Science Publishing.
insider-threats-more-costly-says-study.
Hong, S. K., Chi, P. Y., Chao, R. L., & Tang, H. J. (2003). An integrated system theory of information security management. Information Management & Computer Security, 11(5), 243–247.
Hubbard, C. J., & Forcht, A. K. (1998). Computer viruses: How companies can protect their systems. Industrial Management & Data Systems, 98(1), 12–16.
Inside spyware: A guide to finding, removing, and preventing online pests. (n.d.). Retrieved July 7, 2008 from http://www.intranetjournal.com/spyware/index.html.
Ioannidis, J., & Bellovin, S. M. (n.d.). Implementing pushback: Router-based defense against DDoS attacks. Retrieved May 16, 2008 from http://www.cs.columbia.edu/~smb/papers/pushback-impl.pdf.
Ivens, K. (2000). Password problems. Retrieved September 16, 2007 from http://www.microsoft.com/technet/archive/winntas/maintain/security/password.mspx?mfr=true.
Jennex, E., Walters, M. A., & Addo, A. B. T. (2004). SMEs and knowledge requirements for operating hacker and security tools. In M. Khosrow-Pour (Ed.), Innovations through information technology (pp. 276–279). Hershey, PA: Information Science Publishing.
Johnson, M. B., Croall, J. T., & Thomas, R. (2003). NetBouncer: Client-legitimacy-based high performance DDoS filtering. In Proceedings of DISCEX III, vol. 1, 14–25.
Kalakota, R., & Whinston, A. B. (1999). Frontiers of E-Commerce. Singapore: Addison Wesley Longman Inc.
Kaplan, D. (2008). MTV breach impacts 5,000 employees, successful social-engineering blamed. Retrieved September 16, 2008 from http://www.securecomputing.net.au/News/105492,mtv-breach-impacts-5000-employees-successful-socialengineering-blamed.aspx.
Kirk, J. (2007). Elaborate ‘pharming’ attack targeted 50 banks. Retrieved September 4, 2008 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011653.
http://www.csoonline.com/analyst/report1837.html.
Rolf, O. (2002). Security technologies for the World Wide Web. Boston, MA: Artech House.
Savage, S., Wetherall, D., Karlin, A. R., & Anderson, T. (2000). Practical network support for IP traceback. SIGCOMM, 56:295–306.
Schuba, C. L., Krsul, I. V., Kuhn, M. G., Spafford, E. H., Sundaram, A., & Zamboni, D. (1997). Analysis of a denial of service attack on TCP. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA (pp. 208–223). Retrieved May 7, 2008 from https://www.cerias.purdue.edu/techreportsssl/public/97-06.ps.
Scott, D., & Sharp, R. (2002). Developing secure web applications. Retrieved April 12, 2007 from http://www.recoil.org/~djs/developingsecure.pdf.
SecuriTeam (1999). Kiss of death—A new Denial of Service attack. Retrieved July 12, 2009 from http://www.securiteam.com/windowsntfocus/2MUPQRFRPK.html.
Sequeira, S. (n.d.). Understanding and preventing spyware in the enterprise. Retrieved July 7, 2008 from http://www.tippingpoint.com/resources_whitepapers.html.
Shannon, V., & Moore, D. (2004). The spread of the Witty worm. CAIDA, Tech. Rep. Retrieved July 7, 2008 from http://www.caide.org/research/security/witty.
Shimonski, R. (2002). Introduction to password cracking. Retrieved April 30, 2007 from http://www-106.ibm.com/developerworks/library/s-crack/.
Skoudis, E. (2005). Mission impossible: Techknowledge. Information Security. Retrieved July 8, 2008 from http://informationsecurity.techtarget.com/magItem/1,291266,sid42_gci1101272,00.html.
Smith, D. A. (2004). Cybercriminal impacts on online business and consumer confidence. Online Information Review, 28(3), 224.
Smith, D. A., & Rupp, T. W. (2002). Issues in cybersecurity: Understanding the potential risks associated with hackers/crackers. Information Management & Computer Security, 10(4), 178–181.
writeup.jsp?docid=2004-070618-1513-99&tabid=2.
Symantec (2007b). W32.Bacteria. Retrieved September 5, 2008 from http://www.symantec.com/security_response/writeup.jsp?docid=2006-051110-5539-99&tabid=2.
Symantec (2007c). Spyware.KeyKey. Retrieved September 5, 2008 from http://www.symantec.com/security_response/writeup.jsp?docid=2004-070214-2341-99&tabid=2.
The spyware epidemic: Dealing with ‘‘legal’’ malicious code. (2004). Retrieved July 8, 2005 from http://wp.bitpipe.com/resource/org_975958765_149/WP_Aladdin_Security_pdf_May2005.pdf.
Thompson, J. F. (2002, November–December). Identity, privacy, and information technology. EDUCAUSE Review (pp. 64–65). Retrieved May 21, 2007 from http://www.educause.edu/ir/library/pdf/erm0267.pdf.
Thornburgh, T. (2004). Social engineering: The ‘‘dark art.’’ In Proceedings of the 1st Annual Conference on Information Security Curriculum Development (InfoSecCD) (pp. 133–135). Boston: ACM Press.
Thurston, R. (2008). Brute-force SSH attacks surge. Retrieved September 5, 2008 from http://www.scmagazineuk.com/Brute-force-SSH-attacks-surge/article/110195/.
Urbach, R. R., & Kibel, G. A. (2004). Adware/Spyware: An update regarding pending litigation and legislation. Intellectual Property & Technology Law Journal, 16(7), 12.
Viruslist (2007). Trojan-Downloader.Win32.Banload.dcd. Retrieved September 4, 2008 from http://www.viruslist.com/en/viruses/encyclopedia?virusid=177737.
Volonino, L., & Robinson, S. (2004). Principles and practice of information security (N. E. Anderson, Ed.). Hoboken, NJ: Prentice Hall, pp. 63–171.
Warren, M., & Hutchison, W. (2001). Cyber terrorism and the contemporary corporation. In G. Dhillon (Ed.), Information security management—Global challenges in the new millennium (pp. 60–66). Hershey, PA: Information Science Publishing.
Warren, M., & Hutchison, W. (2003). A security risk management approach for E-Commerce. Information Management & Computer Security, 11(5), 238–247.
Publishing.
Zone-h (2008). Yet another Microsoft defacement. Retrieved September 4, 2008 from http://www.zone-h.org/content/view/14980/1/.